Slashdot Mirror
Google Shares Its Security Secrets
Stony Stevenson writes "Google presents a big fat target for would-be hackers and attackers. At the RSA conference Google offered security professionals a look at its internal security systems. Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained how the company handles constant pressure and scrutiny from attackers. In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value.' The program includes mandatory security training for developers, a set of in-house security libraries, and code reviews by both Google developers and outside security researchers."
Google fights scrutiny with scrutiny (and by having more PHDs than you).
The dangers of knowledge trigger emotional distress in human beings.
I was going to say something smart about Microsoft, Mac etc, but then Google do have the advantage that they were founded on the internet, once the benefits but also the threats of networking computers had been fully understood.
I'd be surprised if any from-scratch operating system designed for internet-facing use today, didn't also have 'security as a culture'.
But hey, there's always Vista ;)
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
... why so much spam comes from gmail, or usenet spam from Google groups.
Have gnu, will travel.
Google presets a big fat target for would-be hackers and attackers.
Must be a new Google appliance. I'm glad it is preset, and does not need any end-user configuration.
In any case, I commute on the train with Google guys in NY. They use their laptops to work on the train, but have those little wireless security devices that generate random passwords for them when they want to log in, so their connection is fully encrypted.
$nice = $webHosting + $domainNames + $sslCerts
How many buffer overrun exploits have been found in other people's software because the coders are just lazy? Google also tries to prevent this by explicit rules that everyone must follow no matter what: for example, you are not allowed to check in code using sprintf instead of snprintf.
A little thing to be sure... until you realize that it's one of many such rules, and they actually are followed.
TFA is a little scant on "security secrets."
What is covered is some general security policy and philosophy.
And here I was, waiting to read all about GIDS and GFirewall. Thanks, ITNews, for instead educating be about archiving security logs for later review!
How does an article that has no technical content, no news, and no information make it to the front page of a tech new site? Oh yeah, this is Slashdot, fake journalism at its best.
That article literally had no content whatsoever. In fact I think it was so content free that I might know less about how Google does security now.
Is there a page two I'm missing?
I've run into a several Google security people at conferences like Blackhat and RSA. They've always struck me as rather arrogant, self absorbed, and poorly informed. One of them actually went on a tirade about how nothing could compare to the risk of an XSS bug in Google's homepage. In the same conversation he also showed a complete failure to grasp how a heap overflow occurs or how process isolation works.
I admit, that guy was the worst of the bunch, but but I continue to be unimpressed by their security people. It's a shame too. I know for a fact they have some really bright people, but none of them appear to be in the security space.
Anyone else notice the Goatse image on the page?
This article at the San Francisco Chronicle doesn't tell me exactly what is going on, but apparently there is the potential for 7 of 10 search results to return malware.
My mother heard about this on the TV news, but the above was all I could find. Anyone else have any more detail?
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
"I've run into a several Google security people at conferences like Blackhat and RSA. They've always struck me as rather arrogant, self absorbed, and poorly informed"
.. :)
Who did you represent at these conferences, what were the names of these 'Google security people'. It's not that I don't doubt your word or anything.
Who invented 'heap overflow '
davecb5620@gmail.com
Two guys are out camping. They get ready to bed down, and guy is putting on his sneaker before getting into his sleeping bag. The other guy inquires, what's up with that?
The guy says, in case a bear attacks our camp during the night.
The other guy is skeptical. With sneakers or without, there's no way you can out-run a bear.
The guy replies, I don't need to out-run the bear. I just need to out-run you.
I suspect Google security is pretty much the same way, with a twist. Why try to hack Google, when I can use Google to find credit card numbers, unsecured plain text password files, servers running old, unpatched versions of vulnerable software, etc.
I'd think the hacker going after Google would be as popular as the kid who rats out the teacher who buys the kids beer.
I get 1.6 million hits from Google themselves. They may be overestimating their security practices just a wee bit.
In my experience as CTO of a respected software development company (Digital Focus), and since then as a consultant in the field of assurance and methodology, I have found that in general developers are not interested in security. E.g., my book, High-Assurance Design, which looks at application architecture from a security and reliability perspective, sells in very low numbers, while my Java books sold in very high numbers. "Hacker" books sell well because many developers want a "quick fix" to their apps, without really understanding security. And consumers are not interested in security either. Just look at Vista: its primary value proposition is that it is more secure. As a result, it is slower, and some drivers and apps don't work. (If you make things more secure, some things will break.) Witness the tremendous push-back by people, claiming that Vista is a "step backward". I myself use a Mac most of the time, but even given Vista's ill-conceived attempts at content protection, I find it interesting that people do not recognize the core value of Vista over XP (security). To me, it proves my point: people don't value security, until something bad happens to them personally.
I still find it surprising that it ICMP_ECHO_REPLYs my ICMP_ECHO_REQUESTs. Why?
A lot of sites disable ping because, years ago, The Ping of Death could crash a server by sending maliciously-crafted ping packets.
And you can DOS a server by flooding it with pings.
I'd be interested to know just how many pings Google receives, and replies to each day.
And how many of those are maliciously encoded, only to be defeated by the ub3rh4x0r5 at Google.
Request your free CD of my piano music.
What about physical security for Google facilities? Last time I was in Mountain View I took a leisurely stroll right through the middle of the Googleplex, right past the life sized dinosaur skeleton, right past the sand volleyball court and hot tub and right through a couple of their office buildings. I like how the Googleplex is set up like an academic campus, but it's pretty trivial for a bad guy to bypass the card access doors by piggybacking behind somebody else.
Also, the whole place is made out of floor to ceiling glass windows. Would be really simple to shoulder surf somebody's display through a telescopic lens or listen against a windows with a laser mic. There's a reason high security buildings tend to resemble windowless block houses. Hopefully, anybody with a window seat at the Googleplex never processes sensitive data.
I'm a bit down on Postini lately. A few months ago, they started marking my personal e-mails to Postini customers as spam. Which is kinda ironic. And pretty damned annoying, since my lawyer, my broker, my apartment manager and my chiropractor are all on Postini servers. But hey, that happens. I went over my server with a fine-tooth comb, I set up SPF, DomainKey, DKIM, no luck. I even switched servers. No matter. My e-mail, now digitally signed in triplicate, was still being scored as 90% probable spam.
So I tried to get in touch with their postmaster group. Only they don't have one. And I tried to check their feedback loop. Only they don't have one. As a shareholder, I even wrote to Investor Relations. No response. In the process, I found out that they have a universally awful reputation among the mail delivery community.
In the end, all they could tell me was that their system decided my mail was spam because - I kid you not - their system had, previously, decided my mail was spam. Which, of course, increases my spamminess score. And so on, and so on, until we're all using the same shampoo.
So, to recap: The guy in charge of keeping Google secure, Scott Petry, is the guy who invented a system that bit-buckets your e-mail, with absolutely no accountability, no sanity checks, no industry best practices... because of guilt by association WITH YOURSELF.
Be afraid. Be very afraid.
"Scott Petry, director of Google's Enterprise"
The big secret? apparently google is developing a starship
In security circles it is well known that security through obfuscation or obscurity is no security at all. By publishing their security internals Google is setting a good example for the industry at large which still lacks faith in security-through-transparency.
Classic!!!! LOL
Quoted from the story:
If you have bad intentions and want to get a reputation, hacking Google is the best way to get credibility on the streets.
I don't know if you've ever been to West Oakland, but I seriously doubt that hacking Google is going to win me any credibility on the streets here.
... unless hacking Google gives you gold chains a bulletproof Buick.
"It was hell!" recalls former child.
I still find it surprising that it ICMP_ECHO_REPLYs my ICMP_ECHO_REQUESTs. Why? I find it surprising that you find it surprising!
Ping is a service we all should provide to our internal networks from individual hosts, and to the Internet at large at the network edge. Configure your routers to respond to pings for your hosts instead of passing them through the firewalls. Ping is how people who need to test their ability to reach your hosts or site can do so. It is a simple tool that consumes a minimal amount of bandwidth to get the job done. I'd be interested to know just how many pings Google receives, and replies to each day. They might tell you if you ask. If it ever gets out of hand they'll just respond with normal traffic shaping techniques. And how many of those are maliciously encoded, only to be defeated by the ub3rh4x0r5 at Google. There's nothing dangerous about ping. Nothing... you can tell if a network is competently administered just by pinging it, my friend. I'd never hire anyone who had an unpingable net.
Hmmm... where's BadAnalogyGuy when you need him? OK, look, blocking ping is like saying that you've seen a guy killed by an Isuzu truck, so you think you can prevent all fatal accidents by banning Isuzu trucks from the highway. In reality, all you will do is prevent beer deliveries to my house, since my beer distributor uses Isuzus. This will make me hate you, just like people hate clueless firewall admins who block ICMP. Or wait, you saw a guy get bludgeoned to death with a hammer so you will ban all hammers while allowing people with large wrenches, razor knives and screwdrivers to pass without comment. That was pretty bad I think.
If Google values security so much, why can't do they anything about their open redirectors? After all, this has been abused by spammers and phishing scammers for weeks, so maybe it's time to finally do something about it.
The most secure way to treat peoples information is to not store it in the first place.
Seriously, most of the security holes found in software are there because the company won't pay the coders to sit around securing the finished product once it seems to work. I've been on many project where we were told to even use mere QA time to instead add a new feature the client wanted. Were we being "lazy" because we didn't do all that work for them for free later, in our massive amounts of free time?
As long as software customers choose features over bugs and/or security holes, that's what the market will deliver. Even sadder than that, is that any coder gets so little practice writing bug-free, secure code; that in the very few situations where that's not the case they subsequently have precious little experience at it.
I've left lots of vulnerabilities in code I've written for people because they knowingly made those trade-offs. But when I write code for myself, I don't have that "culture of security" mindset and probably leave a lot more vulnerabilities in it than I would otherwise.